PropTech Corner
By David Trepp
Employee and Visitor Badge Best Practices
Many commercial real estate organizations rely on security badges for both employees and vendors, and these badges typically
control visitor access. But if an attacker can imitate your company badge, then the system can actually work against you, as
interlopers may be misperceived as legitimate.
First and foremost, it’s important to point out that keeping images of company ID badges out of the public domain is essential.
No matter how well constructed your company badges are, if hackers have images to replicate, your security will suffer. In our
penetration test engagements, the BPM InfoSec team routinely visits client websites, newsletters, Facebook and LinkedIn
pages, among others, to harvest badge images for replication.
When designing badges, there are a few steps any company can implement to increase security and deter unauthorized guests
from entering a workplace.
1. Color-coding badges for different privilege levels is considered a good practice, e.g. green for employees, red for
visitors with escort required, etc. That way, employees can recognize clearance levels and escort requirements from
down a long hallway, at nothing more than a glance.
2. A hologram on badges can make them extremely difficult for hackers to replicate with a printer and laminator.
3. Printing something on the back of the badge is also helpful, as badges commonly get turned around. In a recent
engagement, our onsite assessor spoofed a company badge, but didn’t think it looked very realistic. So, he just
flipped the badge over; it was white on the back like everyone else’s, and he was presumed credible with nothing
more than a white card hanging from his belt.
4. It is also considered a best practice to standardize the pictures on badges, i.e. same size, same lighting, same
background, etc. That way, an employee can glance at a picture and know it’s a “company-issued” headshot.
Taken together, these guidelines can help badges to work for your company, instead of against it.
David Trepp is a Partner in BPM’s Information Security Assessment Services Practice. Contact David at
[email protected] or 541-687-5222.
16 BPM Real Estate Insights